Cybercriminals have devised a new way of hacking cardless ATMs using SMS-based phishing attacks.
It has become a new trend with many financial institutions to offer cardless ATM transactions, thereby allowing customers to withdraw cash using only their mobile phones. This definitely makes things easier for the customer, but it does make things easy for cybercriminals too. They add a new number to the customers’ accounts leveraging account credentials that they had stolen through phishing and then use that added device to rob customers of their money from the cardless ATMs.
Brian Krebs, in a post in his very popular website KrebsOnSecurity, writes, “Thieves are combining SMS-based phishing attacks with new “cardless” ATMs to rapidly convert phished bank account credentials into cash. Recent arrests in Ohio shed light on how this scam works.”
He adds, “In May 2018, Cincinnati, Ohio-based financial institution Fifth Third Bank began hearing complaints from customers who were receiving text messages on their phones that claimed to be from the bank, warning recipients that their accounts had been locked…The text messages contained a link to unlock their accounts and led customers to a Web site that mimicked the legitimate Fifth Third site. That phishing site prompted visitors to enter their account credentials — including usernames, passwords, one-time passcodes and PIN numbers — to unlock their accounts.”
In this incident, cybercriminals stole credentials of around 125 Fifth Third Bank customers, mostly in or around Cincinnati area and then used this stolen data to withdraw $68,000, in less than two weeks, from 17 cashless ATMs in Illinois, Michigan, and Ohio. The court documents also show that the hack and ATM robbing incidents continued through October 2018 and the hackers got away with an additional $40,000 until four men suspected of perpetrating the crime were arrested.
Krebs also recollects another incident that happened in January 2017- “In January 2017, KrebsOnSecurity told the story of a California woman who saw nearly $3,000 drained from her account via a cardless ATM operated by Chase Bank. In that incident, the thieves didn’t even need to know her ATM PIN; the thieves were able to use a phone number and mobile device they controlled and associate it with her Chase account simply by supplying her username and password.”
He notes, “As the January 2017 story illustrates, cardless ATM scams aren’t new, but they are becoming more prevalent as more banks turn to cardless ATM technology as a convenience for customers,”, and adds, “This time last year, cardless ATMs were offered mainly by the big banks, and then only at some of their ATMs. Now, many smaller regional and local banks have upgraded their cash machines to enable the new technology.”
Cardless ATMs are of course a new trend, people are just beginning to use it and the majority are just beginning to hear of it. But it would soon be a very popular thing, which means cybercriminals too would be targeting cardless ATMs in many ways, in the times to come. The best thing to do, to prevent your money from getting stolen from cardless ATMs, is to refrain from responding to requests for personal or financial information via email, text messages or in any other way over your phone. Whenever you have a doubt about a call, email or message seeking information about your account, contact your bank directly and re-confirm things.
